Detecting unknown malware using sandboxing or anomaly detection

It’s been clear for several years that signature-based anti-virus and Intrusion Prevention / Detection controls are not sufficient to detect modern, fast-changing malware. Sandboxing as become a popular (rightfully so) complementary control to detect “unknown” malware, i.e. malware for which no signature exists yet. The concept is straightforward. Analyze inbound suspicious files by allowing them to run in a virtual machine environment. While sandboxing has been successful, I believe it’s worthwhile to understand its limitations. Here they are:

  • Access to the malware in motion, i.e. on the network, is not always available.
  • Most sandboxing solutions are limited to Windows
  • Malware authors have developed techniques to discover virtualized or testing environments
  • Newer malware communication techniques use random, one-time domains and non-HTTP protocols
  • Sandboxing cannot confirm malware actually installed and infected the endpoint
  • Droppers, the first stage of multi-stage malware is often the only part that is analyzed

Please check out Damballa’s Webcast on the Shortfalls of Security Sandboxing for more details.

Let me reiterate, I am not saying that sandboxing is not valuable. It surely is. However, due to the limitations listed above, we recommend that it be complemented by a log-based anomaly detection control that’s analyzing one or more of the following: outbound DNS traffic, all outbound traffic through the firewall and proxy server, user connections to servers, for retailers – POS terminals connections to servers, application authentications and authorizations. In addition to different network traffic sources, there are also a variety of statistical approaches available including supervised and unsupervised machine learning algorithms.

So in order to substantially reduce the risk of a data breach from unknown malware, the issue is not sandboxing or anomaly detection, it’s sandboxing and anomaly detection.

This post has been cross-posted from

Two views on FireEye’s Mandiant acquisition

There are two views on the significance of FireEye’s acquisition of Mandiant. One is the consensus typified by Arik Hesseldahl, Why FireEye is the Internet’s New Security Powerhouse. Arik sees the synergy of FireEye’s network-based appliances coupled with Mandiant’s endpoint agents.

Richard Stiennon as a different view, Will FireEye’s Acquistion Strategy Work? Richard believes that FireEye’s stock price is way overvalued compared to more established players like Check Point and Palo Alto Networks. While FireEye initially led the market with network-based “sandboxing” technology to detect unknown threats, most of the major security vendors have matched or even exceeded FireEye’s capabilities. IMHO, you should not even consider any network-based security manufacturer that doesn’t provide integrated sandboxing technology to detect unknown threats. Therefore the only way FireEye can meet Wall Street’s revenue expectations is via acquisition using their inflated stock.

The best strategy for a high-flying public company whose products do not have staying power is to embark on an acquisition spree that juices revenue. In those terms, trading overvalued stock for Mandiant, with estimated 2013 revenue of $150 million, will easily satisfy Wall Street’s demand for continued growth to sustain valuations. FireEye has already locked in 100% growth for 2014.

It will probably take a couple of years to determine who is correct.



Researchers Bypass Internet Explorer Protected Mode | threatpost

Researchers Bypass Internet Explorer Protected Mode | threatpost.

A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he’s successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. Protected Mode was introduced in Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.

The key points and recommended actions are well summarized in Verizon’s own blog post, Evaluating Protected Mode in Internet Explorer:

Since it is not an official security boundary, Microsoft does not guarantee that it will issue patches for bypasses within the monthly patch-cycle.

It can be recommended that domain administrators consider following the steps below to improve the security of Protected Mode Internet Explorer in the enterprise:

  • Ensure that User Access Control (UAC) is enabled, as disabling it will also disable Protected Mode.
  • Ensure that workstation users cannot run as administrators.
  • Enable Protected Mode for all zones where possible.
  • Disable the Local Intranet Zone, or limit the members of the zone as far as possible.
  • Ensure that third-party software vendors create software which does not incorrectly configure Internet Explorer’s elevation policy and introduce privilege escalation bugs that allow malicious code to escape from Protected Mode.

Microsoft Research Develops Zozzle JavaScript Malware Detection Tool | threatpost

Microsoft Research Develops Zozzle JavaScript Malware Detection Tool | threatpost.

Microsoft Research just released a paper on Zozzle, software they developed to detect certain types of JavaScript malware.

There are two ways Zozzle can be used:

  • In the browser to block malicious JavaScript before it does any damage
  • Scanning websites to detect malware-laden pages which can then be blacklisted

The question is, is this going to be a valuable tool for detecting and stopping malicious JavaScript? For some comments, I went to – Microsoft Builds JavaScript Malware Detection Tool.

Clearly, the slashdot crowd is anti-Microsoft, but it seems to me there was one insightful comment which I have paraphrased: